Network authentication

ABSTRACT

An existing communications device, such as a WAP-enabled mobile phone or other device, can be used as an authentication token. This has the advantage that WAP-enabled devices include components which are used in public key/private key cryptographic systems as a part of their standard communication functions. These components therefore advantageously allow the device to be used as an authentication token when communicating with a remote server.

TECHNICAL FIELD OF THE INVENTION

[0001] This invention relates to the field of computer security, and in particular to the authentication of a user over a computer network.

BACKGROUND OF THE INVENTION

[0002] It is desirable to be able to transmit confidential and personal information over unsecured public computer networks, such as the internet. To allow this, it is necessary to provide a secure registration system, which allows an individual user to have confidence that personal information transmitted over the network will remain confidential. Conversely, a service provider may wish to ensure that only some computer users are able to access specific information.

[0003] U.S. Pat. No. 5,784,463 describes a system in which a computer system is secured against unauthorized access, while data exchanged by a user with the computer system is encrypted when it is sent over the public network.

[0004] More specifically, U.S. Pat. No. 5,784,463 describes the use of an authentication token, which may be a hardware device or which may be a software module, which allows the user to authenticate himself to the remote computer. In this prior art system, shared secret keys provide mutual authentication between the two users. The shared secret keys are generated only at the time of registration, and are distributed using a public key/private key cryptographic system.

[0005] This system has the disadvantage that, before a computer user can take part in secure online transactions using the described system, he must obtain a separate authentication token. Further, there is a cost associated with the distribution of such tokens, either to pay for the additional hardware, or to supply information for the software module.

SUMMARY OF THE INVENTION

[0006] In accordance with a preferred aspect of the invention, an existing communications device can be used as an authentication token.

[0007] In a preferred embodiment of the invention, a communications device which has a cryptographic module for use in mobile communications can be used as an authentication token. For example, the device may be a device which can operate under the Wireless Application Protocol, that is, a WAP-enabled device, such as a mobile phone. This has the advantage that WAP-enabled devices include components which are used in public key/private key cryptographic systems as a part of their standard communication functions. These components therefore advantageously allow the device to be used as an authentication token when communicating with a remote server. Advantageously, the device can use Wireless Transport Layer Security (WTLS) for mobile communications, and employs its cryptographic module when in use as an authentication token.

[0008] It should be emphasised that the term “comprises/comprising” when used in this specification is taken to specify the presence of stated features, integers, steps or components but does not preclude the presence or addition of one or more other features, integers, steps, components or groups thereof.

BRIEF DESCRIPTION OF DRAWINGS

[0009] FIG. 1 is a schematic illustration of a network in which the present invention can be implemented.

[0010] FIG. 2 is a flow chart showing a first authentication method in accordance with the invention.

[0011] FIG. 3 is a flow chart showing a second authentication method in accordance with the invention.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0012] FIG. 1 shows a system in accordance with the invention, which allows a user to communicate securely over the internet. As is conventional, the user has a WAP-enabled device, for example, a mobile phone 10. The mobile phone 10 communicates over a wireless interface through a wireless modem 15 with a WAP Gateway 20. The WAP Gateway 20, for example, converts signals between different protocols used over the wireless network and over the wired networks which are involved.

[0013] As an example, the WAP Gateway 20 has an interface for connection to a Wireless Telephony Application (WTA) server 30, which provides telephony-related functions, such as handling voice calls or text messages.

[0014] One specific use of WAP-enabled devices is to access the internet, and in particular to access the information on web pages which are specifically designed for that purpose.

[0015] Thus, the WAP Gateway 20 also includes an interface for connection to a Wireless Applications Environment (WAE) server 40. The WAE server 40 is in turn connected to the internet 50. Data which may be accessed by a WAP-enabled device are stored on a web server 52. As is well known, the internet is made up of very many servers of this type, storing such information.

[0016] As is known, content on web pages which are intended to be accessed by web-enabled devices is conventionally written using Wireless Markup Language (WML), a language which is designed to meet the constraints which typically apply in this environment, namely the relatively low bandwidth available in the wireless interface, and the generally small available display sizes on the handheld WAP-enabled devices such as mobile phones.

[0017] In order to enhance services written in WML, a scripting language, WMLScript, can be used.

[0018] In order to provide security between the WAP-enabled client device 10 and the WAP Gateway 20, Wireless Transport Layer Security (WTLS) can be used. This provides confidentiality for users, by encrypting messages which are transmitted over the wireless interface, and also provides authentication, by means of digital certificates.

[0019] In order to provide this WTLS functionality, the WAP-enabled device 10 includes a cryptographic module, which uses an embedded public key and private key on handshake for authentication, then generates symmetric session keys, which are used to encode messages before transmission and to decode received messages.

[0020] For example, the cryptographic module can be realised in hardware or in software in the phone 10, or may be provided on an external smart card, or the phone 10 may also include a Wireless Identity Module (WIM) card, which is used to identify the subscriber.

[0021] In accordance with preferred embodiments of the present invention, the cryptographic module of the phone, and other features which are used to provide secure communication using the Wireless Application Protocol, also allow the phone 10 to be used as an authentication token for other communications.

[0022] In the case where the cryptographic module is embodied in hardware, the necessary information is provided on an integrated circuit in the device. Where the Wireless Public Key Infrastructure (WPKI) is used to distribute the parameters for WTLS, it can also be used to distribute the parameters required for use as an authentication token.

[0023] When communicating in the WAP environment, for example, authentication can take place at the WAP Gateway 20 using the device 10 as an authentication token, and can also take place at the modem 15 and/or at the web server 52. Thus, the modem can have an associated authentication server 17, the WAP Gateway can have an associated authentication server 22, and a web server 52 can have an associated authentication server 54. The authentication server 54 associated with a web server 52 can be directly connected thereto, or (as shown in FIG. 1) can be connected thereto over the internet.

[0024] Carrying out additional authentications in this way can provide additional security. In addition, using the device as an authentication token to carry out authentications at the WAP Gateway avoids the need for the user to enter a password, which increases the convenience for the user.

[0025] FIG. 2 shows the operation of the device 10 as an authentication token in the WAP environment. This operation will be described here with reference to a situation in which the device 10 is authenticated to the authentication server 17 associated with the modem 15. However, as mentioned above, authentication can take place in a similar way at many points in the network.

[0026] At step 70, the user starts the WAP browser software in the device 10, and attempts to communicate through the modem 15. In this case, the modem 15 requires authentication, and the device 10 detects this requirement at step 72.

[0027] At step 74, the device verifies the identity of the user. As part of this procedure, the device gives a prompt to the user, asking the user to identify himself. One possibility is to require the user to enter a Personal Identification Number (PIN). However, to provide an additional layer of security, the device 10 can also use a form of biometrics to provide user authentication. Thus, for example, the device 10 can include means for examining a physical feature which uniquely or nearly uniquely identifies a user, such as his fingerprints or voice recognition or another biometric technique, and allowing the user access to the system only if that physical feature is found to match the intended user.

[0028] Once the user has authenticated himself to the token, the token can authenticate itself to the modem 15, at step 76. Thus, using a selected authentication protocol, the token performs the necessary calculations, and, at step 78, information is provided to the WAP browser software, for example allowing it to respond to challenges from the authentication server 17, or to generate a password based on offline information.

[0029] More details about an authentication protocol which may be used can be found in the document “Entity Authentication Using Public Key Cryptography”, Federal Information Processing Standards Publication FIPS PUB 196 of February 1997.

[0030] Such an authentication procedure may be used in the WAP environment in many situations. For example, the user may use the device 10 to authenticate himself to a bank machine, or to a further device which controls access to a building or area.

[0031] In an alternative embodiment of the invention, the device 10 can be used as an authentication token when a user wishes to access the internet 50 using a personal computer 60.

[0032] As is well known, a personal computer has the advantage, compared with current mobile devices, that it has a wider range of input options (such as a full size keyboard and a mouse), and has a larger display for retrieved data. Further, the personal computer 60 is provided with a wired broadband connection to the internet 50. Possible uses of a personal computer 60, in conjunction with the internet 50, include retrieving data from servers to which there is intended to be restricted access, and carrying out online transactions, which may include transmitting confidential user information to a third party computer. As described above, the third party computer, from which information is to be retrieved, or to which information is to be transmitted, has an associated authentication server 54.

[0033] Also, FIG. 2 shows the PC connected to the internet 50 through a modem 56, which has an associated authentication server 58. The description below refers to authentication towards the authentication server, but the same procedure can be used to authenticate towards the authentication server 58.

[0034] Secure communications between the personal computer 60 and the authentication server 54 can then be achieved using an authentication token, as is generally known. In accordance with the invention, the authentication token can use the cryptographic components of a device which also uses those components in, for example, WTLS communications.

[0035] FIG. 3 shows the operation of the device 10 as an authentication token in conjunction with the PC 60.

[0036] At step 80, the user starts the application which requires authentication, and the authentication functionality of the device 10 is started.

[0037] At step 82, the device verifies the identity of the user. As described with reference to FIG. 2, the user may be required to enter a Personal Identification Number (PIN), while, to provide an additional layer of security, the device 10 can also use a form of biometrics to provide user authentication.

[0038] Once the user has authenticated himself to the token, the token can authenticate itself to the web server, at step 84. Using the selected authentication protocol, the token performs the necessary calculations to generate the required passwords, and, at step 86, information is sent to the authentication server 54.

[0039] Again, a suitable authentication protocol is described in the document “Entity Authentication Using Public Key Cryptography”, Federal Information Processing Standards Publication FIPS PUB 196 of February 1997.

[0040] In outline, when the user first contacts the authentication server 54, the authentication server issues a challenge to the user. The authentication token encrypts the challenge with the user's private key, and returns it to the authentication server. The returned challenge is then decrypted by the authentication server with the user's public key, and the authentication server verifies that the decrypted challenge is the same as the original challenge.
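The challenge-response exchange of [0040], written out as an added Go example that is not part of the patent: the token applies its private key to the server's challenge only after the PIN check of step 82, and the server checks the result with the registered public key, consuming each challenge once so that a captured response cannot be replayed. The private-key operation is realised as an ECDSA signature over a hash of the challenge and the server's name, as FIPS 196 does, rather than as a raw encryption; the names Token, AuthServer and "authserver54" are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// Token models the phone's cryptographic module (assumed name); it signs nothing until the PIN is entered.
type Token struct {
	priv     *ecdsa.PrivateKey
	pinHash  [32]byte
	unlocked bool
}

// NewToken generates the device key pair; the private key never leaves the Token.
func NewToken(pin string) (*Token, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Token{priv: priv, pinHash: sha256.Sum256([]byte(pin))}, err
}

// Unlock is the PIN prompt of step 82; a wrong PIN leaves (or puts) the token locked.
func (t *Token) Unlock(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	t.unlocked = subtle.ConstantTimeCompare(h[:], t.pinHash[:]) == 1
	return t.unlocked
}

// Respond signs the challenge bound to the server's name, so it cannot be reused against another server.
func (t *Token) Respond(server string, challenge []byte) ([]byte, error) {
	if !t.unlocked {
		return nil, errors.New("token locked: user not identified")
	}
	d := sha256.Sum256(append([]byte(server+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, t.priv, d[:])
}

// AuthServer models authentication server 54 for one registered user, with one outstanding challenge.
type AuthServer struct {
	Name    string
	User    *ecdsa.PublicKey
	pending []byte
}

// Challenge issues a fresh unpredictable nonce, as FIPS 196 requires.
func (s *AuthServer) Challenge() []byte {
	s.pending = make([]byte, 16)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err) // entropy failure: refuse to authenticate at all
	}
	return s.pending
}

// Verify consumes the challenge even when the check fails, so a captured response cannot be replayed.
func (s *AuthServer) Verify(sig []byte) bool {
	nonce := s.pending
	s.pending = nil
	if nonce == nil || s.User == nil {
		return false
	}
	d := sha256.Sum256(append([]byte(s.Name+"|"), nonce...))
	return ecdsa.VerifyASN1(s.User, d[:], sig)
}
```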

[0041] Thus, there is no requirement for a user to enter a password to be able to access confidential information which is on the authentication server 54. The necessary password can in effect be generated automatically by the WAP-enabled device 10, using the public key infrastructure provided by the cryptographic module of the device, on the basis of the identity of the user confirmed by the wireless identity module in the device.

[0042] In this way, the WAP-enabled device 10 can be used as an authentication token for multiple authentication servers, including authentication servers from multiple manufacturers. All that is necessary is for an authentication server and the device 10 to be able to operate the same authentication protocols.

[0043] It will be appreciated that, for example with appropriate software in the device, it can use any suitable authentication algorithm. The cryptographic module in the device can be used in any suitable method for generating passwords and encrypting communications, although use of Wireless Public Key Infrastructure is preferred.

[0044] The WAP-enabled device allows the use of digital signatures, for the purposes of non-repudiation. This same functionality can also be re-used when the device is being used as an authentication token.

[0045] In the case where the device 10 is used as an authentication token for a personal computer, described above with reference to FIG. 3, there is preferably a connection between the personal computer 60 and the WAP-enabled mobile phone 10. The connection may be wired, or, advantageously, communications between the personal computer 60 and mobile phone 10 can take place using the Bluetooth short-range radio transmission protocol.

[0046] When there is a connection between the personal computer 50 and the WAP-enabled mobile phone 10, whether this is wireless or wired, and the personal computer requires to use the phone 10 as an authentication token, this functionality of the phone must be started. This can be carried out automatically by means of a specific command sent from the personal computer to the phone, and may alternatively or additionally be carried out in response to a specific keypress on the keyboard of the phone.

[0047] When used with a personal computer in this way, commands may be transferred to and from the device using the AT protocol. Thus, for example, passwords which are generated in the mobile phone 10 acting as the authentication token are transferred to the personal computer 60, and can be automatically sent to the authentication server.

[0048] However, a manual operation is also possible, in which the necessary authentication calculations are carried out in the authentication token, and the required password or passwords are displayed on a screen of the device, and can be manually entered by the user through the keyboard of the personal computer, and can then be sent to the authentication server.

[0049] There is thus disclosed an authentication token which is readily available, since it re-uses functionality and infrastructure which already exist for WAP-enabled devices.

1. A method of authenticating communications, the method comprising: using a mobile communications device, which includes a cryptographic module for use in mobile communication, as an authentication token.
2. A method of authenticating communications as claimed in claim 1, wherein the mobile communications device is a WAP-enabled device.
3. A method of authenticating communications as claimed in claim 1 or 2, wherein the use of the mobile communications device as an authentication token includes using public key encryption of communications.
4. A method of authenticating communications as claimed in claim 1, 2 or 3, wherein the mobile communications device uses the cryptographic module for Wireless Transport Layer Security communications.
5. A method of authenticating communications as claimed in claim 1, 2, 3 or 4, wherein the mobile communications device is used as an authentication token for a computer, and authenticates communications between the computer and an authentication server.
6. A method of authenticating communications as claimed in claim 5, comprising providing a wired connection between the mobile communications device and the computer.
7. A method of authenticating communications as claimed in claim 5, comprising providing a wireless connection between the mobile communications device and the computer.
8. A mobile communications device, comprising a cryptographic module, the cryptographic module being usable: (a) for encoding wireless communications from the device; (b) for authenticating a user of the device towards an authentication server.
9. A mobile communications device as claimed in claim 8, the cryptographic module being usable for authenticating a user of a separate computer towards the authentication server.
10. A mobile communications device as claimed in claim 9, having a short-range wireless communications transceiver, for sending signals to and receiving signals from the computer.
11. A mobile communications device as claimed in claim 10, wherein the short-range wireless communications transceiver uses Bluetooth wireless technology.
12. A mobile communications device as claimed in one of claims 8-11, wherein the cryptographic module is usable to support wireless communications using Wireless Transport Layer Security.
13. A mobile communications device as claimed in one of claims 8-12, having means for allowing biometric identification of a user.
14. A mobile communications device as claimed in one of claims 8-13, wherein the cryptographic module uses public key cryptography.
15. A mobile communications device as claimed in one of claims 8-14, comprising means for sending and transmitting data using WAP.
16. A mobile communications device as claimed in one of claims 8-15, wherein the cryptographic module is realised in hardware in the device.
17. A mobile communications device as claimed in one of claims 8-15, wherein the cryptographic module is realised in software in the device.
18. A mobile communications device as claimed in one of claims 8-15, wherein the cryptographic module is provided on an external smart card.
19. A mobile communications device as claimed in one of claims 8-15, wherein the cryptographic module comprises a Wireless Identity Module (WIM) card.
20. A mobile communications device as claimed in claim 19, wherein the cryptographic module comprises a Wireless Identity Module (WIM) card which allows communications using Wireless Transport Layer Security.
21. A WAP-enabled mobile communications device, which is capable of use as an authentication token.
22. A communications network, comprising: at least one WAP gateway, which is enabled to encrypt communications on the basis of Wireless Transport Layer Security; at least one authentication server operable in a first authentication protocol; and a WAP-enabled client device, including a cryptographic module, the cryptographic module being usable for encrypting communications with the WAP gateway using Wireless Transport Layer Security, and the cryptographic module being further usable as an authentication token for authenticating a user of the device towards the authentication server, using the first authentication protocol.
23. A network as claimed in claim 22, wherein the cryptographic module is realised in hardware in the client device.
24. A network as claimed in claim 22, wherein the cryptographic module is realised in software in the client device.
25. A network as claimed in claim 22, wherein the cryptographic module is provided on an external smart card.
26. A network as claimed in claim 22, wherein the cryptographic module comprises a Wireless Identity Module (WIM) card.
27. A network as claimed in any of claims 22-26, comprising a computer, the client device having a connection to the computer such that it acts as an authentication token therefor.